Closed mlbiam closed 3 years ago
Thanks for using Duo!
The first thing I would check (maybe rerun your tests with some extra debugging output) is that the akey is correct. Here's how I read your stack trace:
line com.duosecurity.duoweb.DuoWeb.parseVals(DuoWeb.java:109) looks like this:
if (!Util.hmacSign(key, sig).equals(Util.hmacSign(key, u_sig))) {
throw new DuoWebException("Invalid response");
}
So, a signature verification check is failing. There are 2 signature verification checks on a response, and the one that's failing is shown in the next line of the stack trace - com.duosecurity.duoweb.DuoWeb.verifyResponse(DuoWeb.java:74)
app_user = parseVals(akey, app_sig, APP_PREFIX, ikey, time);
This is the akey check. You can learn more about the akey on our documentation here: https://duo.com/docs/duoweb#1.-generate-an-akey
Please check that you're using the same akey during the verification check (the verifyResponse call) that you used when creating the authentication request (the signRequest call).
Validated the akeys are the exact same. What else can I look at? I know the akey itself works because it works in the demo app.
Added some debug messages in the Duo code; it looks like the data being passed into Util.hmacSign is different:
sig - dcfa0591afb194430826d519d04566f16d2b4a0f u_sig - dcfa0591afb194430826d519d04566f16d2b4a0f>
that extra ">" has to be the issue. Everything else lines up.
The extra ">" is in the original sig_response parameter submitted by the duo js
I found the issue. My sig_request had an extra > in it in the jsp file that generates the duo frame. What's odd is that duo didn't reject the sig_request for being malformed. Is that a bug in DUO's server side platform?
Hi @mlbiam. The reason this worked is because the extra character was at the end of the sig_request, which is the application's signature portion. This piece is not used by Duo, the Duo cloud service just returns that portion unchanged, so the application can verify the response was not tampered with.
Take a look at line 56 of the DuoWeb file: https://github.com/duosecurity/duo_java/blob/master/DuoWeb/src/main/java/com/duosecurity/duoweb/DuoWeb.java#L56
Duo only uses the duo_sig portion, and since that was correct and did not have anything accidentally added to it, the Duo side checked out just fine.
Hopefully that clarifies things, let us know if you have any further questions. And thanks for using Duo!
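To make the explanation above concrete, here is an added Python model of the Duo Web v2 sig_request/sig_response format (this is example code, not the duo_java SDK or the poster's code). It reproduces the parseVals double-HMAC check from the stack trace, models the Duo side as checking only the TX part and echoing the APP part back, and shows that a stray ">" appended to sig_request passes Duo but fails the application's akey check. The key values are constructed placeholders.

```python
import base64
import hashlib
import hmac
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600
# Constructed placeholder keys (same lengths as a real ikey/skey/akey), not credentials.
IKEY, SKEY, AKEY = "DIXXXXXXXXXXXXXXXXXX", "s" * 40, "a" * 40

def _hmac_sha1(key, msg):
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()

def _sign_vals(key, vals, prefix, expire, now):
    # prefix|base64(user|ikey|expiry)|hmac_sha1(key, prefix|base64(...))
    cookie = f"{prefix}|{base64.b64encode('|'.join(vals + [str(now + expire)]).encode()).decode()}"
    return f"{cookie}|{_hmac_sha1(key, cookie)}"

def _parse_vals(key, val, prefix, ikey, now):
    # Mirrors DuoWeb.parseVals; the HMAC-of-HMAC comparison is the line in the stack trace.
    u_prefix, u_b64, u_sig = val.split("|")
    sig = _hmac_sha1(key, f"{u_prefix}|{u_b64}")
    if _hmac_sha1(key, sig) != _hmac_sha1(key, u_sig):
        raise ValueError("Invalid response")  # a stray '>' on the end of u_sig fails here
    user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
    if u_prefix != prefix or u_ikey != ikey or now >= int(exp):
        raise ValueError("Invalid response")
    return user

def sign_request(ikey, skey, akey, user, now):
    duo_sig = _sign_vals(skey, [user, ikey], DUO_PREFIX, DUO_EXPIRE, now)
    return f"{duo_sig}:{_sign_vals(akey, [user, ikey], APP_PREFIX, APP_EXPIRE, now)}"

def duo_service(ikey, skey, sig_request, now):
    # Models the Duo side: only the TX part is checked; the APP part is echoed back untouched.
    duo_sig, app_sig = sig_request.split(":")
    user = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    return f"{_sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now)}:{app_sig}"

def verify_response(ikey, skey, akey, sig_response, now):
    auth_sig, app_sig = sig_response.split(":")
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)  # the akey check
    if auth_user != app_user:
        raise ValueError("Invalid response")
    return auth_user

def app_accepts(ikey, skey, akey, sig_response, now):
    try:
        return verify_response(ikey, skey, akey, sig_response, now) is not None
    except ValueError:
        return False
```

Appending ">" to a valid sig_request still gets an AUTH part back from the modelled Duo side, and only the application's APP/akey check rejects it, which is exactly the failure mode seen in the thread.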
Cleaning up old issues, this looks like it was resolved.
I've written an implementation using the java SDK at https://github.com/mlbiam/unison-auth-duo/blob/master/src/main/java/com/tremolosecurity/proxy/auth/DuoSecLogin.java and am running into issues validating the app response. The auth response runs fine. I was also able to use the demo app without issue. Have triple checked the various parameters. How do I go about debugging this? Here's the stack trace: